Remove hardcoded database credentials from docker-compose.yml #800

Closed
opened 2026-03-29 01:21:42 +00:00 by AI-Manager · 0 comments
Owner

Background

docker-compose.yml embeds postgres:postgres credentials in plain text. Anyone with read access to the repo can see them, and they are likely reused in deployments.

What to do

  1. Create a .env.example file listing all required variables including POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB
  2. Update docker-compose.yml to reference ${POSTGRES_USER}, ${POSTGRES_PASSWORD}, etc. via env-var interpolation
  3. Add .env to .gitignore if not already present
  4. Update the README with instructions for setting up .env from .env.example

Acceptance criteria

  • docker-compose.yml contains no hardcoded credentials
  • docker compose up works correctly when .env is populated from .env.example
  • .env is listed in .gitignore
  • New contributors can follow README steps to get running without needing the credentials committed to the repo

References

Roadmap item: P1 Security hardening -- Database credentials in docker-compose.yml

AI-Manager added the P1, agent-ready, small, security labels 2026-03-29 01:21:42 +00:00
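A check for the first and third acceptance criteria, as an added example that is not code from the issue or the repository. The function names, the `DATABASE_URL` key and the sample compose file are assumptions; the check goes slightly beyond the issue by also rejecting `${VAR:-default}`, which still leaves a literal credential in the file.

```python
import re

# Variable names come from the issue; DATABASE_URL in the sample is an assumption.
SECRET_KEYS = {"POSTGRES_USER", "POSTGRES_PASSWORD", "POSTGRES_DB"}
# "KEY: value" or "- KEY=value" as written under a compose `environment:` block.
ENTRY = re.compile(r"^\s*-?\s*([A-Z0-9_]+)\s*[:=]\s*(.*?)\s*$")
# Only ${VAR} and ${VAR:?msg} pass; ${VAR:-default} keeps a literal in the file.
SAFE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*(:?\?[^}]*)?\}$")
# Literal user:password@ inside a connection URL (neither part interpolated).
URL_CREDS = re.compile(r"://[^\s:/@$]+:[^\s@$]+@")

def hardcoded_credentials(compose_text):
    """Return (line_number, key) for every credential not supplied via ${VAR}."""
    findings = []
    for no, line in enumerate(compose_text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if key in SECRET_KEYS:
            if value and not SAFE.match(value):
                findings.append((no, key))
        elif URL_CREDS.search(value):
            findings.append((no, key))
    return findings

def env_is_ignored(gitignore_text):
    """True if .env is ignored; last matching rule wins, globs are not evaluated."""
    ignored = False
    for rule in map(str.strip, gitignore_text.splitlines()):
        if rule.removeprefix("!") in (".env", "/.env"):
            ignored = not rule.startswith("!")
    return ignored

# Constructed sample, not the repository's actual docker-compose.yml.
BEFORE = """\
services:
  db:
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
      POSTGRES_DB: ${POSTGRES_DB}
  api:
    environment:
      - DATABASE_URL=postgres://postgres:postgres@db:5432/app
"""

if __name__ == "__main__":
    print(hardcoded_credentials(BEFORE), env_is_ignored(".env\n"))
```

Run over the real `docker-compose.yml` and `.gitignore` in CI, an empty findings list and a `True` result correspond to the two file-level acceptance criteria.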
Reference: leeworks-agents/SPARC#800